Hyperdbg on virtualized Windows7 - Error #2

[Federico Franzoni]

Hi,
i'm trying to get hyperdbg working on a windows 7 os, running as a guest on a qemu-kvm virtual machine.
I've got an i7 cpu and this is the output of the Coreinfo tool from inside the guest: http://pastebin.com/ZzrkWxAM

I edited video.c adding:
#define VIDEO_ADDRESS_MANUAL
#define DEFAULT_VIDEO_ADDRESS 0xFD000000
(Looking at video adapter memory addresses i find these ranges:
     Memory Range 0xFD000000 - 0xFDFFFFFF
     Memory Range 0xFEBD4000 - 0xFEBD4FFF
     Memory Range 0x000A0000 - 0x000BFFFF
)

I compiled hyperdbg from svn sources following instructions from INSTALL file and from online install guide, using tdm-gcc 4.6.1.

When I try "install" from the hypergui menu i get this error: "Unable to start driver service (error #2)".
Using Debug View gives me no more info about the problem.

What could i do to solve the problem?

PS: If i try using zip version sources or precompiled version i get the same error.

[Aristide Fattori]

Hi,

according to other reports by hdbg users, it appears you have been hit
by this bug: http://sourceforge.net/p/mingw/bugs/2121/

Would you try downgrading your mingw version and recompiling the driver?

Please let us know if it works.

> --
> You received this message because you are subscribed to the Google Groups
> "hyperdbg" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to hyperdbg+u...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
GnuPG Key on keyserver.pgp.com ID 0x25578128
http://security.di.unimi.it/~joystick/

[Federico Franzoni]

Hi,

Thanks for your answer.
It turns out i had the most recent version of gcc installed (instead of the 4.6.1). I downgraded tdm-gcc to 4.6.1 and recompiled hyperdbg.
Now the problem is solved!

Unfortunately, as soon as i get the "driver installed successfully" message, the system gets stuck.
I guess the cause is some video issue, but i can't figure out what i'm doing wrong.

Any ideas?

[Aristide Fattori]

Hi,

On Thu, Aug 7, 2014 at 6:05 AM, Federico Franzoni
<fed.fr...@gmail.com> wrote:
> Thanks for your answer.
> It turns out i had the most recent version of gcc installed (instead of the
> 4.6.1). I downgraded tdm-gcc to 4.6.1 and recompiled hyperdbg.
> Now the problem is solved!

Nice!

> Any ideas?

Would you be able to provide serial output? (i.e., add a serial
device to your VM configured so that it corresponds to COM1, enable
DEBUG in hyperdbg, recompile and try again). The output of DbgView
would be good too.

Thanks

[Federico Franzoni]

Il giorno giovedì 7 agosto 2014 09:12:56 UTC+2, joystick ha scritto:

Hi,

On Thu, Aug 7, 2014 at 6:05 AM, Federico Franzoni
<fed.fr...@gmail.com> wrote:
> Thanks for your answer.
> It turns out i had the most recent version of gcc installed (instead of the
> 4.6.1). I downgraded tdm-gcc to 4.6.1 and recompiled hyperdbg.
> Now the problem is solved!

Nice!

> Any ideas?

Would you be able to provide serial output?  (i.e., add  a serial
device to your VM configured so that it corresponds to COM1, enable
DEBUG in hyperdbg, recompile and try again). The output of DbgView
would be good too.

I recompiled hyperdbg with DEBUG enabled and tried again:
DbgView doesn't capture anything, while through the COM1 port i can read this:

[vmm] fs is 0xffffffff82933d20
[vmm] SUCCESS: VMXON operation completed
[vmm] VMM is now running
[vmm] SUCCESS: VMCLEAR operation completed
[vmm] Setting Host CR3 to 000000007fe63000
[vmm] Clearing VMX abort error code: 00000000
[vmm] Setting Guest RSP to ffffffff8c037aac
[vmm] Setting Guest RIP to ffffffff95357e33
[vmm] Setting Host RSP to ffffffff84b79fff
[vmm] Setting Host RIP to ffffffff95357d90
[vmm] SUCCESS: EPT enabled.

 

Thanks

--
GnuPG Key on keyserver.pgp.com ID 0x25578128
http://security.di.unimi.it/~joystick/

Thanks again  for your help

[Aristide Fattori]

Hi,

according to your serial output everything should be fine. Does the
system gets completely stuck after printing these messages or when you
press f12?

> --
> You received this message because you are subscribed to the Google Groups
> "hyperdbg" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to hyperdbg+u...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Federico Franzoni]

Right after the "Success" message appears on the screen. I also tried to press F12 to regain control but didn't work.
I'm now trying with different cpu configurations but nothing seems to help so far.

[Lorenzo Flore]

Hi,

this is the libvirt configuration of my debian vm for kvm... everything is working fine. I haven't tried any windows guest yet, but I hope it can be of help.

http://pastebin.com/7z3efQFH

[Federico Franzoni]

Hi Lorenzo,
Thanks for your help. I've compared your configuration to mine and they are very similar.
I tried setting the same cpu configuration, changing emulator (kvm-spice to kvm) and also adding the -s option to the qemu command,
but nothing worked.

Any suggestion will be appriciated

[Aristide Fattori]

Are you using the same kvm version of lorenzo (@lorenzo can you please specify which version you are using?)?

Other things:
1) Did you try using the latest kvm version from their repo?

2) can you trying disabling pae in yoir win 7 guest? I never had any problem with win xp pae guests but I don't remember thoroughly testing with win 7 pae.

3) is there a particular reason why you're using  kvm? If you're in a hurry of having hdbg running I'd suggest to use vmware workstation. Otherwise, it would be cool to know why it doesn't work on kvm + windows as, afaik, nobody but you has tried yet.

[Lorenzo Flore]

On Wed, Sep 3, 2014 at 8:08 AM, Aristide Fattori <aristid...@gmail.com> wrote:

Are you using the same kvm version of lorenzo (@lorenzo can you please specify which version you are using?)?

$ kvm -version

QEMU emulator version 2.0.0 (Debian 2.0.0+dfsg-6+b1), Copyright (c) 2003-2008 Fabrice Bellard

Other things:
1) Did you try using the latest kvm version from their repo?

2) can you trying disabling pae in yoir win 7 guest? I never had any problem with win xp pae guests but I don't remember thoroughly testing with win 7 pae.

3) is there a particular reason why you're using  kvm? If you're in a hurry of having hdbg running I'd suggest to use vmware workstation. Otherwise, it would be cool to know why it doesn't work on kvm + windows as, afaik, nobody but you has tried yet.

Il 03/set/2014 01:43 "Federico Franzoni" <fed.fr...@gmail.com> ha scritto:

>
> Hi Lorenzo,
> Thanks for your help. I've compared your configuration to mine and they are very similar.
> I tried setting the same cpu configuration, changing emulator (kvm-spice to kvm) and also adding the -s option to the qemu command,
> but nothing worked.
>

The -s option is just useful for using gdb from the host, it's not required for hyperdbg to work :)

[Federico Franzoni]

Il giorno mercoledì 3 settembre 2014 08:08:31 UTC+2, joystick ha scritto:

Are you using the same kvm version of lorenzo (@lorenzo can you please specify which version you are using?)?

Yes. QEMU 2.0.0.
 

Other things:
1) Did you try using the latest kvm version from their repo?

I now installed QEMU 2.1.0 and tried again but nothing changed.
 

2) can you trying disabling pae in yoir win 7 guest? I never had any problem with win xp pae guests but I don't remember thoroughly testing with win 7 pae.

 I disabled pae but it didn't help.
 

3) is there a particular reason why you're using  kvm? If you're in a hurry of having hdbg running I'd suggest to use vmware workstation. Otherwise, it would be cool to know why it doesn't work on kvm + windows as, afaik, nobody but you has tried yet.

 I'm trying not to use closed source tools,
 and kvm is the only open source tool that supports nested virtualization.
 Anyway I will surely follow your suggestion if I don't find a solution to this problem.

 What else can I try to get it work on kvm?
 Could some architecture/cpu configuration changes help?

[Aristide Fattori]

Mmh, I don't have any more suggestions. Try to post your kvm
configuration, maybe we can spot something fishy. If not, I'm afraid
the only thing left is some printf debugging (well, serial-debugging
actually): begin by printing each vm exit code and try to understand
if it always gets stuck at the same point.

On Fri, Sep 5, 2014 at 2:49 AM, Federico Franzoni